Not all CT scans are Shrovetide, or CT scans do not walk on their own



    The categorization of information in the Russian Federation is quite extensive today. There are more than 50 secrets by types. Today we will consider one of them, but, in our opinion, very important in the context of corporate protection against internal threats to information security - commercial secret (hereinafter referred to as CT).

    Relying on the Federal Law (hereinafter the Federal Law), we analyze and logically decompose the goals, objectives and features of the introduction of the CT regime, as well as the link between the CT law and other legal acts. The analysis will be carried out in the context of corporate protection against internal threats to information security. For the convenience of perceiving information, we “marinated” all this in infographics, the full version of which is presented at the end of the article.

    Why is CT so important in terms of building an integrated system of corporate protection against internal threats to information security? Answering this question, there are several reasons. Firstly, the procedures associated with the introduction of the CT regimen quite transparently complement the audit of information security and information assets of the organization, which in turn provides a competent, effective configuration of the DLP (Data Leak Prevention) system. Secondly, the following link can be identified:

    No mode - no CT.
    No CT scan - no defense in court.
    No DLP - CT mode is ineffective.

    Decipher this bunch. If we want to defend our legitimate rights and interests in court with maximum effect in case of leakage of confidential information constituting CT, then we introduce the appropriate regime provided for by the Federal Law. We want to minimize risks as well as have sufficient evidence in court, in case of a leak, we are introducing a DLP system that will ensure the collection and fixation of these materials.

    Thus, on the one hand, we ensure that we don’t “step on our neck”, for example, not to violate the rights of workers, and on the other, how the law helps us, for example, in court when stealing confidential information, and with what tools we will prove it.

    So, the Federal Law of July 29, 2004 N 98-ФЗ (as amended on March 12, 2014) “On Trade Secrets” (hereinafter the Federal Law).

    At the beginning of the journey, everything is “gloomy” (we are talking about infographics as well :), but we will move forward sequentially and everything will be clear in the final: for what, how and why? as they say "without a single cloud in the sky." Immediately, we note that this article does not intend to describe the details of documentary processes of introducing the CT regime. The document templates are publicly available, easy to understand, and are not of interest in this context of the consideration of the problem.



    The main goal of the Federal Law is to regulate relations to establish, change and terminate the CT regime aimed at protecting information constituting a trade secret. The

    Federal Law formulates a conceptual framework. Consider the basic concepts that we will need when considering the features of the introduction of the CT regimen.

    “.. Commercial secret is a regime of confidentiality of information that allows its holder to increase income under existing or possible circumstances, avoid unjustified expenses, maintain a position in the market of goods, works, services or receive other commercial benefits ..”

    Now consider what information may contain trade secrets in terms of the Federal Law.

    “.. Information constituting a trade secret - information of any kind (production, technical, economic, organizational and others), including information on the results of intellectual activity in the scientific and technical field, as well as information on methods of pursuing professional activities that are valid or potential commercial value due to their unknownness to third parties, to which third parties do not have free access legally and in respect of which the owner of such information entered Mr. mode of trade secret .. "

    Next, we will move along the constituent elements of the law, grouped by our meaning.

    The Federal Law defines the subjects of legal relations:

    “...
    • the holder of information constituting a trade secret, - a person who owns information constituting a trade secret legally restricts access to this information and establishes a regime of trade secret in relation to it;
    • counterparty - a party to a civil law contract to which the owner of information constituting a trade secret transmitted this information;
    .. "

    The Federal Law defines the methods for transmitting information related to CT:

    “...
    • Information constituting a trade secret obtained from its owner on the basis of an agreement or other legal basis shall be considered to have been received legally.
    • Information constituting a trade secret held by another person is deemed to have been obtained illegally if it was received with intentional overcoming of the information constituting a trade secret taken by the owner to protect the confidentiality of this information, as well as if the person receiving this information knew or had sufficient grounds to believe that this information constitutes a trade secret held by another person and that the person transmitting this information is not their is the transmission of this information legally.
    .. "

    Also, the Federal Law determines the right of the holder of information to assign information to CT. In other words, the owner of the information independently determines what information is referred to CT.

    The Federal Law defines actions with information related to CT:

    “...
    • access to information constituting a trade secret - familiarization of certain persons with information constituting a trade secret, with the consent of its owner or on any other legal basis, provided that this information is kept confidential;
    • transfer of information constituting a trade secret - transfer of information constituting a trade secret and recorded on a tangible medium by its owner to the counterparty on the basis of the contract in the amount and on the terms and conditions stipulated by the contract, including the condition that the counterparty takes measures to protect its confidentiality established by the contract;
    • the provision of information constituting a trade secret - the transfer of information constituting a trade secret and recorded on a tangible medium by its holder to state authorities, other state bodies, and local self-government bodies in order to perform their functions; the holder of information constituting a trade secret, upon a reasoned request of a state authority, other state body, or local government, provides them with information free of charge that constitutes a trade secret. A motivated request must be signed by an authorized official, contain an indication of the purpose and legal basis for requesting information constituting a trade secret, and the time period for the provision of this information, unless otherwise provided by federal laws.
    • disclosure of information constituting a trade secret - an act or omission, as a result of which information constituting a trade secret in any possible form (oral, written, other form, including using technical means) becomes known to third parties without the consent of the holder of such information or contrary to a labor or civil law contract.
    .. "

    The Federal Law determines the rights of the holder of information:



    The holder of information constituting a trade secret has the right to:

    “...
    1) establish, amend, cancel in writing the regime of commercial secrets in accordance with this Federal Law and the civil law contract;
    2) use information constituting a trade secret for their own needs in a manner that does not contradict the legislation of the Russian Federation;
    3) allow or prohibit access to information constituting a trade secret, determine the procedure and conditions for access to this information;
    4) demand from legal entities, individuals who have gained access to information constituting a trade secret, state authorities, other state bodies, local self-government bodies to which information constituting a trade secret has been provided, to observe obligations to protect its confidentiality;
    5) to demand from persons who have gained access to information constituting a commercial secret, as a result of acts committed by accident or by mistake, protect the confidentiality of this information;
    6) to protect their rights in the manner prescribed by law in case of disclosure, illegal receipt or illegal use by third parties of information constituting a commercial secret, including demanding compensation for losses incurred in connection with the violation of his rights.
    .. "

    The Federal Law defines measures to protect the confidentiality of information:



    Protection within the framework of labor relations:



    In addition to the obligations of the employer and employee, this paragraph of the Federal Law also reflects some of their rights and requirements:

    “...
    1. The employee has the right to appeal against the unlawful establishment of a trade secret regime in relation to information to which he gained access in connection with the performance of labor duties.
    2. An employee shall have access to information constituting a trade secret with his consent, if this is not provided for by his labor duties.
    3. Losses caused by an employee or a person who has terminated an employment relationship with an employer are not indemnified if the disclosure of information constituting a commercial secret occurred due to non-compliance by the employer with measures to ensure the commercial secret regime, actions of third parties or force majeure.
    4. An employment contract with the head of the organization should provide for his duties to ensure the confidentiality of information constituting a commercial secret, the owner of which is the organization and its counterparties, and responsibility for ensuring the confidentiality of this information.
    5. The head of the organization shall compensate the organization for losses caused by his guilty actions in connection with a violation of the legislation of the Russian Federation on trade secrets. In this case, losses are determined in accordance with civil law.
    .. "

    the holder of information constituting a commercial secret has the right to apply, if necessary, the means and methods of technical protection of the confidentiality of this information, other measures that are not contrary to the legislation of the Russian Federation.

    In order to increase the effectiveness of the application of this regimen in an organization, it is necessary to take into account legislative restrictions on the classification of information as CT.



    This list consists of 11 items. Reflect them for the protocol :-):

    “...
    1) contained in the constituent documents of a legal entity, documents confirming the fact of making entries about legal entities and individual entrepreneurs in the relevant state registers;
    2) contained in documents giving the right to carry out entrepreneurial activity;
    3) on the composition of property of a state or municipal unitary enterprise, state institution and on their use of funds from the respective budgets;
    4) environmental pollution, the state of fire safety, sanitary-epidemiological and radiation conditions, food safety and other factors that have a negative impact on ensuring the safe functioning of production facilities, the safety of every citizen and the safety of the population as a whole;
    5) the number, composition of employees, the wage system, working conditions, including labor protection, occupational injuries and occupational morbidity, and the availability of jobs;
    6) on the debts of employers for the payment of wages and other social benefits;
    7) on violations of the legislation of the Russian Federation and the facts of bringing to responsibility for the commission of these violations;
    8) on the terms of tenders or auctions for the privatization of state or municipal property;
    9) on the size and structure of the income of non-profit organizations, on the size and composition of their property, on their costs, on the number and salary of their employees, on the use of gratuitous labor of citizens in the activities of a non-profit organization;
    10) on the list of persons entitled to act without a power of attorney on behalf of the legal entity;
    11) the mandatory disclosure of which or the inadmissibility of restrictions on access to which is established by other federal laws.
    .. "

    And in the conclusion of the Federal Law, liability for violation of the law is determined in accordance with the legislation of the Russian Federation.



    In particular:

    1. Administrative responsibility:

    • Code of Administrative Offenses, article 13.12, clause 6 (violation of information protection rules)
    • Code of Administrative Offenses, article 13.14 (disclosure of information with limited access)
    • Code of Administrative Offenses, article 7.12 (violation of copyright and related rights, inventive and patent rights )

    2. Civil liability:

    • Civil Code, Article 1253 (especially the responsibility of the information intermediary)
    • Civil Code, Article 1301 (responsibility for violation of the exclusive right to a work)
    • Civil Code, Article 1472 (responsibility for violation of the exclusive right to a production secret )

    3. criminal I was responsible for:

    • Criminal Code of the Russian Federation Article 183 (illegal receipt and disclosure of information constituting a commercial, tax or banking secret)
    • Criminal Code of the Russian Federation Article 147 (violation of inventive and patent rights)

    4. Disciplinary liability:

    • Labor Code of the Russian Federation Article 81 (termination of an employment contract initiative of the employer)
    • Labor Code of the Russian Federation Art. 243 (cases of full material liability)

    Next, we consider how the Federal Law “On Commercial Secret” is related, correlated with other legislation. We will call this section “Legislative Hub”:



    1. “Civil Code of the Russian Federation (part four)” dated December 18, 2006 N 230-ФЗ (as amended on July 3, 2016, as amended on December 13, 2016) (as amended and additional ., entered into force on 01.01.2017).
    Chapter 75. The right to a secret of production (know-how).
    Article 1465. The secret of production (know-how).


    The definition of information constituting a trade secret formulated by the Federal Law intersects with the concept of production secret reflected in the Civil Code of the Russian Federation:

    Production secret (know-how) is information of any kind (production, technical, economic, organizational and others) about the results of intellectual activity in scientific and the technical sphere and the ways of carrying out professional activities that have actual or potential commercial value due to unknownness to third parties, if such information Third parties do not have free access legally and the holder of such information takes reasonable measures to maintain their confidentiality, including by introducing a trade secret regime.

    Thus, the very concept of information constituting a trade secret is much broader and includes not only information about the results of intellectual activity in the scientific and technical field and how to carry out professional activities.

    2. Federal Law of July 27, 2006 N 149-ФЗ (as amended on June 18, 2017) “On Information, Information Technologies and the Protection of Information”.

    The Federal Law “On Information, Information Technologies and the Protection of Information” clearly divides information into publicly available and limited in access, regulated by the relevant federal laws. In particular, Clause 2, Article 5 of this Federal Law states that“Information, depending on the category of access to it, is divided into publicly available information, as well as information, access to which is limited by federal laws (information of limited access).”

    Article 8 of this law reflects the right to access information, but at the same time “sends” us to other federal laws, where a wider list of such information is given. In our case, we considered this classification above when we talked about CT.

    3. Decree of the President of the Russian Federation of March 6, 1997 N 188 “On approval of the list of information of a confidential nature” (with amendments and additions) defines this list, highlighting in it the CT:

    “...
    • Information about facts, events and circumstances of a citizen’s private life, allowing him to identify his personality (personal data), with the exception of information to be disseminated in the media in cases established by federal laws.
    • Information constituting the secret of the investigation and legal proceedings, information on persons with respect to whom in accordance with federal laws of April 20, 1995 N 45-ФЗ “On state protection of judges, officials of law enforcement and regulatory bodies” and of August 20, 2004 . N 119-ФЗ “On state protection of victims, witnesses and other participants in criminal proceedings”, other regulatory legal acts of the Russian Federation decided to apply state protection measures, as well as information on state Shields said persons if the Russian Federation such information is not related to information constituting a state secret.
    • Official information, access to which is limited by public authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secrets).
    • Information related to professional activities, access to which is limited in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial, lawyer's confidentiality, confidentiality of correspondence, telephone conversations, mail, telegraphic or other messages and so on).

    Information related to commercial activities, access to which is limited in accordance with the Civil Code of the Russian Federation and federal laws (trade secrets).

    • Information about the essence of the invention, utility model or industrial design before the official publication of information about them.
    • Information contained in the personal files of convicted persons, as well as information on the enforcement of judicial acts, acts of other bodies and officials, except for information that is publicly available in accordance with Federal Law of October 2, 2007 N 229-ФЗ “On Enforcement Proceedings” ".
    .. "

    4. “Tax Code of the Russian Federation (part one)” dated July 31, 1998 N 146-ФЗ (as amended on December 28, 2016) (as amended and supplemented, entered into force on July 1, 2017).
    Section 102. Tax Secret.




    In this case, of interest is a list of what cannot be attributed to CT.

    “... Tax secrecy is any information received by the tax authority, internal affairs bodies, investigative bodies, state extra-budgetary fund body and customs body about the taxpayer, payer of insurance premiums, with the exception of information:
    1) which is publicly available, including those that have become with the consent of their owner - taxpayer (payer of insurance premiums). Such consent is presented at the choice of the taxpayer (payer of insurance premiums) in respect of all information or part thereof received by the tax authority in the form, format and manner approved by the federal executive body authorized to control and supervise taxes and fees;
    2) the taxpayer identification number;
    3) on violations of the legislation on taxes and fees (including amounts of arrears and arrears of interest and penalties if any) and measures of liability for these violations;
    4) provided by the tax (customs) or law enforcement authorities of other states in accordance with international treaties (agreements), of which the Russian Federation is one of the parties, on mutual cooperation between tax (customs) or law enforcement authorities (in terms of information provided to these authorities);
    5) provided to the election commissions in accordance with the legislation on elections based on the results of audits by the tax authority of information on the size and sources of income of the candidate and his spouse, as well as property owned by the candidate and his spouse;
    6) provided to the State Information System on state and municipal payments, provided for by the Federal Law of July 27, 2010 N 210-ФЗ “On the Organization of the Provision of State and Municipal Services”;
    7) on special tax regimes applied by taxpayers, as well as on the participation of a taxpayer in a consolidated group of taxpayers;
    8) provided to local authorities (state authorities of cities of federal significance in Moscow, St. Petersburg and Sevastopol) in order to monitor the completeness and reliability of information provided by payers of local fees for the calculation of fees, as well as the amount of arrears for such fees;
    9) on the average number of employees of the organization for the calendar year preceding the year the information was posted on the Internet information and telecommunication network in accordance with paragraph 1.1 of this article;
    10) on the organization paid in the calendar year preceding the year of placement of the information on the Internet information and telecommunication network in accordance with paragraph 1.1 of this article, the amounts of taxes and fees (for each tax and fee) excluding the amounts of taxes (fees) paid in connection with the importation of goods into the customs territory of the Eurasian Economic Union, the amount of taxes paid by a tax agent, on the amount of insurance premiums;
    11) on the amounts of income and expenses according to the accounting (financial) statements of the organization for the year preceding the year of placement of this information in the information and telecommunication network "Internet" in accordance with paragraph 1.1 of this article;
    12) on registration with the tax authorities of foreign organizations
    13) on registration with the tax authorities of individuals .. "
    .."

    “The Customs Code of the Customs Union” (as amended on 05/08/2015).
    Chapter 3. The relationship of customs authorities with participants in foreign economic activity and persons engaged in activities in the field of customs.
    Article 16. Duties of the customs representative.




    “... The information received from the represented persons constituting state, commercial, banking and other secrets protected by law (secrets) or other confidential information should not be disclosed or used by the customs representative and his employees for their own purposes, transferred to other persons, except as otherwise provided the legislation of the Member States of the customs union .. "

    Summing up, we note once again that the use of a technical tool to control information flows within a corporate structure is itself tightly based on current legislation, and CT legislation can be considered as a starting point in legal issues of implementing DLP systems, as a legal tool allowing approach systematically to the issue of corporate protection against internal threats of information security.









    Also popular now: